Ciphersuites for CAPWAP-DTLS

This chapter explains how to configure, prioritize, and verify DTLS ciphersuites for AP CAPWAP connections on Cisco controllers, including default selections, commands, server-preference behavior, and compatibility or downgrade considerations.

Default ciphersuites supported for CAPWAP-DTLS

Starting with Cisco IOS XE Bengaluru 17.5.1, the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) or Galois Counter Mode (GCM) ciphersuite with perfect forward secrecy (PFS) is included in the default list, together with the existing AES128-SHA ciphersuite. All Cisco AP models, except Cisco IOS APs, prioritize the PFS ciphersuite for CAPWAP-DTLS under the default configuration.

Note

If link encryption is enabled for secure data channel traffic, the COS AP (DTLS client) prioritizes DHE-RSA-AES128-SHA over the ECDHE or GCM ciphersuite.

  • The preference order of the ciphersuites during the DTLS handshake is important. You can set the priority order when configuring cipher suites using this feature.

  • When explicit ciphersuites are not configured, the default ciphersuites listed in the table apply.

Table 1. Default Ciphersuites
Security Mode Ciphersuite
FIPS and non-FIPS

•TLS_RSA_WITH_AES_128_CBC_SHA

• TLS_DHE_RSA_WITH_AES_128_CBC_SHA

• TLS_DHE_RSA_WITH_AES_256_CBC_SHA

• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
WLANCC

•TLS_DHE_RSA_WITH_AES_128_CBC_SHA

• TLS_DHE_RSA_WITH_AES_256_CBC_SHA

• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

This feature is supported on all variants of Cisco Catalyst 9800 Series Wireless Controllers and APs, except for Cisco Industrial Wireless 3702 AP.

Refer to the release notes for a list of supported controllers and APs for each release: https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-release-notes-list.html.

Configure multiple ciphersuites (CLI)

Configure the allowed ciphersuites for AP DTLS on the controller using commands.

Note

  • If a controller is loaded with a startup configuration using a ciphersuite selection configuration that predates Cisco IOS XE Bengaluru 17.5.1, it is automatically converted to the latest ciphersuite selection version.

  • Changing the ciphersuite configuration causes APs to disconnect and reconnect.

  • If you downgrade to a Cisco IOS XE Bengaluru version earlier than 17.5.1, the ciphersuite configurations are lost.

  • When downgrading to a version below 17.12.1 in FIPS mode or WLANCC mode, verify that the ECDHE-RSA-AES128-GCM-SHA256 cipher suite is selected for AP DTLS. By default, it is selected. Otherwise, the downgrade causes connectivity issues for all Cisco Wave 2 APs.

  • This can be verified by using the show wireless certification config command.

Procedure

Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Set priority for a particular cipher suite.

Example:

Device(config)# ap dtls-ciphersuite priority-num ciphersuite

Use zero to set the highest priority.

Note

 

Any configuration change will automatically disconnect all currently connected APs.

Step 3

Return to the privileged EXEC mode.

Example:

Device(config)# exit

Set server preference (CLI)

Configure whether the server dictates ciphersuite priority order during a DTLS handshake for AP join profiles using commands.

The ciphersuite configuration enforces the priority order during the DTLS handshake. To give equal priority to all configured ciphersuites, use the no ciphersuite server-preference command in the corresponding AP join profile. By default, server preference is enabled.

Procedure

Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Configure an AP profile and enter the AP profile configuration mode.

Example:

Device(config)# ap profile profile-name

Step 3

Set the cipher suite server preference.

Example:

Device(config-ap-profile)# [no] ciphersuite server-preference

Use the no form of this command to disable server preference. By default, server preference is enabled.

Step 4

Return to global configuration mode.

Example:

Device(config)# exit

Verify operational ciphersuites and priority

To view the operational ciphersuites and their priority, use this command: 

Device# show wireless certification config

WLANCC                        : Not Configured
AP DTLS Version               : DTLS v1.0 - v1.2

AP DTLS Cipher Suite List:

  Priority                Ciphersuite
--------------------------------------------------------------------------------
   0                      AES128-SHA
   1                      DHE-RSA-AES256-SHA256